Cloud // Platform as a Service
Commentary
8/16/2012
11:48 AM
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

'Secure' Cloud File Sync Is The Wrong Move

Vendors playing to fears about the security shortcomings of Dropbox, SugarSync, and similar apps might as well be selling security blankets.

Just about every week, either in my role as an IT leader or as a columnist for InformationWeek, I get an email pitch about how Product XYZ is "more secure" than the consumer-based cloud file sync apps such as Dropbox and SugarSync. In one example, the vendor referred to a recent, human-related Dropbox security breach, opining: "The fact is that commercial cloud services are not secure data repositories. Period."

Broad brush statements like that one drive me crazy. Of course, any time data leaves your span of control, it's less secure. But for business to actually get transacted, sometimes we need to achieve a balance between security and functionality.

I spent a bunch of my career in the security world, so I understand that security folks sometimes freak out. The consequences of the wrong actions can be brutal, but the bottom line is that we can't just lock up the data. Our job is to classify use cases and help our business colleagues understand the risk-benefit ratio.

Why do your users choose Dropbox? Because, unlike a lot of cumbersome tools supplied by central IT, it just works. It's usable. It doesn't require a consultation with an IT help desk person.

One vendor pitched me recently on its product, which allegedly "works the same as Dropbox except it has really high security standards." Whatever that means. Just about any vendor is vulnerable to human-based breaches. Any time you put your data out there you're risking a breach. Don't get me wrong--the purpose-built "secure" products are probably more secure than the standard cloud sync app, but if they're out of your span of control, there's some level of risk.

Most of these "secure" vendors are missing the critical point about why cloud file sync is attractive. The business benefits don't come from the file sync app itself. They come from the ecosystem.

Global CIO
Global CIOs: A Site Just For You
Visit InformationWeek's Global CIO -- our online community and information resource for CIOs operating in the global economy.

What do I mean? Most of these "super lockdown" vendors pitch that their products work on BlackBerry, iPhone, Android. But the real value comes from the ease of use that comes from app integration into the cloud sync product. Vendors such as Dropbox, SugarSync, Box.net, and Google influence their developer communities to build support into their specific apps. In this way, you have direct support for notepad apps, Microsoft Office equivalents, photo apps, and the like.

You might get annoyed that these vendors don't just support secure WebDav (a standard for Web file sharing), but the fact is that doing file sync is fiendishly difficult. WebDav doesn't offer the same total solution for sync that the cloud file apps do.

So the ecosystem really matters because, to do cloud file sync right (where you're not getting frustrated by conflicting versions of files and other ugly things), vendors of productivity apps need a simple way to sync. The APIs and forums and community support that the cloud file sync vendors offer to third-party app developers really matter.

The ecosystem matters because adopting some strange, squirrelly vertical cloud file sync tool that nobody's ever heard of simply isn't going to work. It may make the security trolls at your organization feel better, but for them, I suggest buying a security blanket.

Assuming that the niche "secure" cloud file sync app works as well as the incumbent tool, not only will nobody want to use it, but nobody is going to be able to use it. The pervasive productivity apps don't support the niche products. For example, the latest Docs to Go supports Google Docs, Box.net, Dropbox, iDisk, and Sugar Sync. That's it. Not a highly secure niche solution among them.

Oh, you can use our secure tool within iOS or Android and then open it in another app, say the niche vendors' sales and PR folks. Really? And when you modify the doc, how does it sync back into the cloud? Hello, cumbersome!

There's no doubt that cloud-based file sync has created a huge security issue. But expecting to solve it with inadequate products isn't the way to go. Instead of IT acting like the no police and outlawing the tools that actually serve their user bases, IT can work with business leaders in several ways.

>> Establish and document acceptable use cases for cloud file sync. Not every use case is appropriate, obviously.

>> Integrate cloud file sync use case and other guidelines into your security awareness training.

>> Define the risks and then work with security personnel to establish what the mitigation strategy will be, such as data leak protection, adequate backups, and two-factor authentication.

It's much more difficult to have these conversations than to simply lock up everything and offer inadequate tools. But it's the right thing to do.

At this year's InformationWeek 500 Conference, C-level execs will gather to discuss how they're rewriting the old IT rulebook and accelerating business execution. At the St. Regis Monarch Beach, Dana Point, Calif., Sept. 9-11.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
JulieAnnaSD
50%
50%
JulieAnnaSD,
User Rank: Apprentice
8/17/2012 | 10:14:56 PM
re: 'Secure' Cloud File Sync Is The Wrong Move
Dropbox is a sharing tool built for the fast dissemination of information to large groups of people. SaaS products like virtual data rooms that promote security in comparison are built for storing and sharing sensitive information for a company or individual.

The products are built for two different purposes but unfortunately many businesses decide to go with services like Dropbox and the like because they are free. When you go with a free service you are not getting the same security level as a paid service specifically built for secure document retention. Unfortunately, most companies ignore the threat of security breaches and make decisions with, "that could never happen to me" in mind. The outcome of an information leak can be devastating to a company and Dropbox has had more than one occasion when a large security breach has caused accounts to be compromised and vulnerable.

I agree that IT and finance professionals should do their due diligence when looking for a service to use for their company - it is important to know what security measures are in place. When these companies do the research, they will see that there are a lot of other products out there with much higher security standards than Dropbox.

All that being said, if you want to share promotional items, or photos with friends, Dropbox is a fun easy system to use and it's free!
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
8/18/2012 | 1:54:21 AM
re: 'Secure' Cloud File Sync Is The Wrong Move
For what it's worth, one of the organizations that I used to work for was a small component of a much larger company and the much larger company defined security standards that we had to follow along with the various forms of compliance that we needed to handle.

At one of the quarterly IT leadership meetings, there was a presentation by the corporate information security guru about the product that all of the components were going to be using - storing data in the "private cloud" (although, back then we weren't visionaries and simply called it a co-location data center). After the demo, the discussion turned to other products that were available and the message was delivered that any other data storage facilities outside of the local security perimeter or the "private cloud" would lead to serious repercussions, including immediate termination. As a precedent, management had just terminated the ENTIRE IT staff of another component organization when it was found that they were using a commercially available, non approved solution.

Moral of the story - the data that most organizations have in their possession usually exceeds the worth of the organization and to trust that to an unvetted, insecure entity is corporate suicide.

Investigate these solutions, their vendors, the whole 9 yards. At this point in time, I always assume that any data that leaves my physical location is open and available to the rest of the world.

Andrew Hornback
InformationWeek Contributor
ANON1241526426595
50%
50%
ANON1241526426595,
User Rank: Apprentice
8/18/2012 | 5:10:06 PM
re: 'Secure' Cloud File Sync Is The Wrong Move
So you like DropBox and want those evil IT administrators and security people out of your way, I get it. In former columns you've shouted your dedication to the belief that user experience is the only business need or virtue.

It's obvious you don't understand the value of security at all. Too bad you're offering advice to business leaders who do need decent security. In fact many of their jobs depend on it. Hopefully, they won't make career-limiting moves based on your advice.

Eventually, real tools with a good user experience and decent security will prevail (think enterprise-managed private keys), and sloppy security schemes like DropBox's we-can-access-anything-we-want-whenever-we-want will fail. Until then, I have to hope people don't take you too seriously.
cxf
50%
50%
cxf,
User Rank: Apprentice
8/22/2012 | 12:10:52 AM
re: 'Secure' Cloud File Sync Is The Wrong Move
"It may make the security trolls feel better.." - the use of the world troll is befitting, since your background IS IN IT, according to the first few paragraphs in this piece.

Do you read what you write, Mr. Feldman?

--CIO.
Google in the Enterprise Survey
Google in the Enterprise Survey
There's no doubt Google has made headway into businesses: Just 28 percent discourage or ban use of its productivity ­products, and 69 percent cite Google Apps' good or excellent ­mobility. But progress could still stall: 59 percent of nonusers ­distrust the security of Google's cloud. Its data privacy is an open question, and 37 percent worry about integration.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest, Dec. 9, 2014
Apps will make or break the tablet as a work device, but don't shortchange critical factors related to hardware, security, peripherals, and integration.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.